Noel J. Bergman wrote:
> Roy T. Fielding wrote:
>
>> There is no reason for a separate repository. [A separate repo] does not
>> help protect "users" from incubator code, since users don't set the Maven
>> configs that define which repos to use and which modules are dependencies.
>> At best, what it does is add an irrelevant incubator layer on top of all Maven
>> repo requests that masks the "normal" repo path from developers, introduces
>> another way to inject insecure code, and wastes our bandwidth sending 404
>> responses to automated build requests.
>
>> the user never makes a decision regarding incubator code in the Maven repo.
>> The user is either going to pull the incubator release directly and then build it
>> using Maven with the provided pom, or some other project is going to make a
>> decision to add the artifact (with incubator in its name) as a dependency. The
>> Maven repo path is irrelevant to the user's decisions.
>
>> Yes, it would be nice if Maven was more secure, properly checked signatures,
>> and properly delegated namespaces so that third-parties would be unable to
>> add artifacts within other org's trees. None of those issues are specific to incubator.
>
> I am forced to agree with Roy on these points. Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.
+1.
If this was how Debian ran packages or FreeBSD managed the ports
collection, there would have already been an exploit incident.
We are running on borrowed time, and I don't understand why the PMC
continues to promote features with a completely broken security model.
> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so. At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.
I'm not involved in Maven at all. I can understand a project skimping on
more complicated security issues early on -- but at this point Maven
seems like a well established project that isn't just an experiment --
people will be using it en masse for years to come. For the security
infrastructure to be completely missing, to me, is completely
unacceptable in an ASF Project.
> However, the Maven repository situation has little to do with the need for
> an Incubator.
I agree :-)
-Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org